
I'm looking to set up autologon/'keep you logged in' for a social website I'm building.

There is a tickbox for the user to enable this feature and I planned to write 3 cookies to their system including 'autologon enabled', 'username encrypted in SHA' and 'password encrypted in SHA'.

The catch is "it appears" if anyone accessed their system they could get the username and password SHA hashes from the cookies and with a touch of skill use these to log on as the person. This is correct, right?

Thinking about it, I assume any system that keeps you logged in would have to use cookies like this and therefore is vulnerable to cookie theft. Is this correct?

Finally, is there any way I can implement autologon/keep me logged in in a secure, or more secure, fashion?

Thank you

Note: Facebook seems to do this - as I'm always logged in... I assume they have a secure method? assumption there...

Adam
  • (sorry for my rudeness) **1)** you don't set the password in a cookie **2)** You don't even use SHA in your DataBase let alone in a cookie, use Bcrypt or something similar **3)** Use HTTPS if you're serious. – HamZa May 20 '13 at 08:42
  • http://stackoverflow.com/questions/7591728/designing-a-secure-auto-login-cookie-system-in-php – Adam May 20 '13 at 09:54
  • http://stackoverflow.com/questions/1382303/php-autologin-function-to-login-script - above 2 links were very helpful :) – Adam May 20 '13 at 09:54


If anyone accessed their system, he could steal the whole base of users, so you shouldn't worry about stealing your private key.

Anyway, if you don't want to keep user information in cookies, you could keep session keys in the database: [user_id], [session_key], [expire_date] (records could be multiple to work with different computers). Cookie: session_key="mn2..23j". Then you should check if the cookie matches a database record.

Heavy
  • In addition you could keep `[user_ip]` or any computer-related information to avoid autologin with stolen cookies. But don't use it strictly: the user could change his IP using public wifi spots or something. – Heavy May 20 '13 at 10:04
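A worked version of the answer's [user_id], [session_key], [expire_date] scheme, as an added example that is not code from the question or the answer: the table and function names are my own, an in-memory `sqlite3` database stands in for the site's database, and the DB stores only a hash of the random key so a dumped table yields no usable cookie values.

```python
import hashlib
import secrets
import sqlite3
import time

# Constructed in-memory store standing in for the site's database.
db = sqlite3.connect(":memory:")
db.execute(
    "CREATE TABLE autologin (user_id INTEGER, key_hash TEXT PRIMARY KEY, expire_date INTEGER)"
)


def _hash_key(key: str) -> str:
    # The cookie holds the raw random key; the DB keeps only its SHA-256.
    return hashlib.sha256(key.encode()).hexdigest()


def issue_session_key(user_id: int, lifetime_s: int = 30 * 86400, now=None) -> str:
    """Create one record per browser/computer and return the cookie value."""
    now = int(time.time()) if now is None else now
    key = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    db.execute(
        "INSERT INTO autologin VALUES (?, ?, ?)",
        (user_id, _hash_key(key), now + lifetime_s),
    )
    db.commit()
    return key


def user_from_cookie(cookie_value: str, now=None):
    """Return the user_id the cookie belongs to, or None if unknown or expired."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT user_id, expire_date FROM autologin WHERE key_hash = ?",
        (_hash_key(cookie_value),),
    ).fetchone()
    if row is None or row[1] <= now:
        return None  # never issued, revoked, or past its expire_date
    return row[0]


def revoke_session_key(cookie_value: str) -> None:
    """Log out one computer without touching the user's other records."""
    db.execute("DELETE FROM autologin WHERE key_hash = ?", (_hash_key(cookie_value),))
    db.commit()
```

Send the returned key as an HttpOnly, Secure cookie; on logout call `revoke_session_key`, and a stolen cookie is useless once its record is deleted or expired.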